diff --git a/BUILD b/BUILD
index c569482d853..90649cab771 100644
--- a/BUILD
+++ b/BUILD
@@ -325,6 +325,7 @@ grpc_cc_library(
 public_hdrs = GRPC_PUBLIC_HDRS + GRPC_SECURE_PUBLIC_HDRS,
 standalone = True,
 deps = [
+ "grpc_authorization_engine",
 "grpc_common",
 "grpc_lb_policy_cds_secure",
 "grpc_lb_policy_eds_secure",
@@ -1864,6 +1865,9 @@ grpc_cc_library(
 "src/core/lib/security/authorization/mock_cel/activation.h",
 "src/core/lib/security/authorization/mock_cel/cel_value.h",
 ],
+ external_deps = [
+ "absl/container:flat_hash_set",
+ ],
 language = "c++",
 deps = [
 "envoy_ads_upb",
diff --git a/BUILD.gn b/BUILD.gn
index 39b3de12650..dff49edae1a 100644
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -788,6 +788,12 @@ config("grpc_config") {
 "src/core/lib/json/json.h",
 "src/core/lib/json/json_reader.cc",
 "src/core/lib/json/json_writer.cc",
+ "src/core/lib/security/authorization/authorization_engine.cc",
+ "src/core/lib/security/authorization/authorization_engine.h",
+ "src/core/lib/security/authorization/evaluate_args.cc",
+ "src/core/lib/security/authorization/evaluate_args.h",
+ "src/core/lib/security/authorization/mock_cel/activation.h",
+ "src/core/lib/security/authorization/mock_cel/cel_value.h",
 "src/core/lib/security/context/security_context.cc",
 "src/core/lib/security/context/security_context.h",
 "src/core/lib/security/credentials/alts/alts_credentials.cc",
@@ -1003,6 +1009,7 @@ config("grpc_config") {
 ":absl/strings:strings",
 ":absl/status:status",
 ":absl/container:inlined_vector",
+ ":absl/container:flat_hash_set",
 "//third_party/cares",
 ":address_sorting",
 ]
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 6d679bf6092..5018904956e 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
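Review bot: The `grpc_authorization_engine` dep added to the standalone `grpc` target pulls an engine that, per the context lines of the second hunk, still lists `mock_cel/activation.h` and `mock_cel/cel_value.h` among its headers into the library every consumer ships. If the mock CEL types are a placeholder until a real evaluator is wired in, say so next to the new dep, e.g. `# NOTE: authorization engine currently builds against mock_cel; not yet suitable for production policy enforcement.`, so nobody enables policy evaluation on top of the mock. If the engine is meant to be reachable at runtime in this state, that deserves an explicit statement in the change description, because decisions produced by a mock evaluator cannot be relied on to enforce a policy. Whether anything in the library actually invokes the engine is not visible from this hunk.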
@@ -103,14 +103,19 @@ set_property(CACHE gRPC_ABSL_PROVIDER PROPERTY STRINGS "module" "package") set(gRPC_ABSL_USED_TARGETS absl_algorithm + absl_algorithm_container absl_atomic_hook absl_bad_optional_access + absl_bad_variant_access absl_base absl_base_internal absl_bits + absl_city absl_civil_time absl_compressed_tuple absl_config + absl_container_common + absl_container_memory absl_cord absl_core_headers absl_debugging_internal @@ -118,17 +123,27 @@ set(gRPC_ABSL_USED_TARGETS absl_dynamic_annotations absl_endian absl_errno_saver + absl_exponential_biased absl_fixed_array + absl_flat_hash_set absl_function_ref absl_graphcycles_internal + absl_hash + absl_hash_function_defaults + absl_hash_policy_traits + absl_hashtable_debug_hooks + absl_hashtablez_sampler + absl_have_sse absl_inlined_vector absl_inlined_vector_internal absl_int128 absl_kernel_timeout_internal + absl_layout absl_log_severity absl_malloc_internal absl_memory absl_optional + absl_raw_hash_set absl_raw_logging_internal absl_span absl_spinlock_wait @@ -145,6 +160,7 @@ set(gRPC_ABSL_USED_TARGETS absl_time_zone absl_type_traits absl_utility + absl_variant absl_meta ) @@ -795,6 +811,7 @@ if(gRPC_BUILD_TESTS) add_dependencies(buildtests_cxx duplicate_header_bad_client_test) add_dependencies(buildtests_cxx end2end_test) add_dependencies(buildtests_cxx error_details_test) + add_dependencies(buildtests_cxx evaluate_args_test) add_dependencies(buildtests_cxx eventmanager_libuv_test) add_dependencies(buildtests_cxx exception_test) add_dependencies(buildtests_cxx filter_end2end_test) @@ -1704,6 +1721,8 @@ add_library(grpc src/core/lib/iomgr/work_serializer.cc src/core/lib/json/json_reader.cc src/core/lib/json/json_writer.cc + src/core/lib/security/authorization/authorization_engine.cc + src/core/lib/security/authorization/evaluate_args.cc src/core/lib/security/context/security_context.cc src/core/lib/security/credentials/alts/alts_credentials.cc src/core/lib/security/credentials/alts/check_gcp_environment.cc 
@@ -1860,6 +1879,7 @@ target_link_libraries(grpc absl::strings absl::status absl::inlined_vector + absl::flat_hash_set ) if(_gRPC_PLATFORM_IOS OR _gRPC_PLATFORM_MAC) target_link_libraries(grpc "-framework CoreFoundation") @@ -1946,6 +1966,7 @@ if(gRPC_BUILD_TESTS) add_library(grpc_test_util test/core/util/cmdline.cc test/core/util/debugger_macros.cc + test/core/util/eval_args_mock_endpoint.cc test/core/util/fuzzer_util.cc test/core/util/grpc_profiler.cc test/core/util/histogram.cc @@ -2012,6 +2033,7 @@ if(gRPC_BUILD_TESTS) add_library(grpc_test_util_unsecure test/core/util/cmdline.cc test/core/util/debugger_macros.cc + test/core/util/eval_args_mock_endpoint.cc test/core/util/fuzzer_util.cc test/core/util/grpc_profiler.cc test/core/util/histogram.cc @@ -8410,8 +8432,6 @@ endif() if(gRPC_BUILD_TESTS) add_executable(authorization_engine_test - src/core/lib/security/authorization/authorization_engine.cc - src/core/lib/security/authorization/evaluate_args.cc test/core/security/authorization_engine_test.cc third_party/googletest/googletest/src/gtest-all.cc third_party/googletest/googlemock/src/gmock-all.cc 
@@ -10747,6 +10767,45 @@ target_link_libraries(error_details_test ) +endif() +if(gRPC_BUILD_TESTS) + +add_executable(evaluate_args_test + test/core/security/evaluate_args_test.cc + third_party/googletest/googletest/src/gtest-all.cc + third_party/googletest/googlemock/src/gmock-all.cc +) + +target_include_directories(evaluate_args_test + PRIVATE + ${CMAKE_CURRENT_SOURCE_DIR} + ${CMAKE_CURRENT_SOURCE_DIR}/include + ${_gRPC_ADDRESS_SORTING_INCLUDE_DIR} + ${_gRPC_RE2_INCLUDE_DIR} + ${_gRPC_SSL_INCLUDE_DIR} + ${_gRPC_UPB_GENERATED_DIR} + ${_gRPC_UPB_GRPC_GENERATED_DIR} + ${_gRPC_UPB_INCLUDE_DIR} + ${_gRPC_ZLIB_INCLUDE_DIR} + third_party/googletest/googletest/include + third_party/googletest/googletest + third_party/googletest/googlemock/include + third_party/googletest/googlemock + ${_gRPC_PROTO_GENS_DIR} +) + +target_link_libraries(evaluate_args_test + ${_gRPC_PROTOBUF_LIBRARIES} + ${_gRPC_ALLTARGETS_LIBRARIES} + grpc_test_util + grpc + gpr + address_sorting + upb + ${_gRPC_GFLAGS_LIBRARIES} +) + + endif() if(gRPC_BUILD_TESTS) @@ -14684,6 +14743,7 @@ if(_gRPC_PLATFORM_LINUX OR _gRPC_PLATFORM_MAC OR _gRPC_PLATFORM_POSIX) ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/simple_messages.grpc.pb.h test/core/util/cmdline.cc test/core/util/debugger_macros.cc + test/core/util/eval_args_mock_endpoint.cc test/core/util/fuzzer_util.cc test/core/util/grpc_profiler.cc test/core/util/histogram.cc 
@@ -15625,7 +15685,7 @@ generate_pkgconfig( "high performance general RPC framework" "${gRPC_CORE_VERSION}" "gpr openssl" - "-lgrpc -laddress_sorting -lre2 -lupb -lcares -lz -labsl_status -labsl_cord -labsl_bad_optional_access -labsl_str_format_internal -labsl_synchronization -labsl_graphcycles_internal -labsl_symbolize -labsl_demangle_internal -labsl_stacktrace -labsl_debugging_internal -labsl_malloc_internal -labsl_time -labsl_time_zone -labsl_civil_time -labsl_strings -labsl_strings_internal -labsl_throw_delegate -labsl_int128 -labsl_base -labsl_spinlock_wait -labsl_raw_logging_internal -labsl_log_severity -labsl_dynamic_annotations" + "-lgrpc -laddress_sorting -lre2 -lupb -lcares -lz -labsl_raw_hash_set -labsl_hashtablez_sampler -labsl_exponential_biased -labsl_hash -labsl_bad_variant_access -labsl_city -labsl_status -labsl_cord -labsl_bad_optional_access -labsl_str_format_internal -labsl_synchronization -labsl_graphcycles_internal -labsl_symbolize -labsl_demangle_internal -labsl_stacktrace -labsl_debugging_internal -labsl_malloc_internal -labsl_time -labsl_time_zone -labsl_civil_time -labsl_strings -labsl_strings_internal -labsl_throw_delegate -labsl_int128 -labsl_base -labsl_spinlock_wait -labsl_raw_logging_internal -labsl_log_severity -labsl_dynamic_annotations" "" "grpc.pc") 
@@ -15645,7 +15705,7 @@ generate_pkgconfig( "C++ wrapper for gRPC" "${gRPC_CPP_VERSION}" "grpc" - "-lgrpc++ -labsl_status -labsl_cord -labsl_bad_optional_access -labsl_str_format_internal -labsl_synchronization -labsl_graphcycles_internal -labsl_symbolize -labsl_demangle_internal -labsl_stacktrace -labsl_debugging_internal -labsl_malloc_internal -labsl_time -labsl_time_zone -labsl_civil_time -labsl_strings -labsl_strings_internal -labsl_throw_delegate -labsl_int128 -labsl_base -labsl_spinlock_wait -labsl_raw_logging_internal -labsl_log_severity -labsl_dynamic_annotations" + "-lgrpc++ -labsl_raw_hash_set -labsl_hashtablez_sampler -labsl_exponential_biased -labsl_hash -labsl_bad_variant_access -labsl_city -labsl_status -labsl_cord -labsl_bad_optional_access -labsl_str_format_internal -labsl_synchronization -labsl_graphcycles_internal -labsl_symbolize -labsl_demangle_internal -labsl_stacktrace -labsl_debugging_internal -labsl_malloc_internal -labsl_time -labsl_time_zone -labsl_civil_time -labsl_strings -labsl_strings_internal -labsl_throw_delegate -labsl_int128 -labsl_base -labsl_spinlock_wait -labsl_raw_logging_internal -labsl_log_severity -labsl_dynamic_annotations" "" "grpc++.pc") diff --git a/Makefile b/Makefile index 96979e9ece2..08bf9d470d1 100644 --- a/Makefile +++ b/Makefile @@ -2312,6 +2312,8 @@ LIBGRPC_SRC = \ src/core/lib/iomgr/work_serializer.cc \ src/core/lib/json/json_reader.cc \ src/core/lib/json/json_writer.cc \ + src/core/lib/security/authorization/authorization_engine.cc \ + src/core/lib/security/authorization/evaluate_args.cc \ src/core/lib/security/context/security_context.cc \ src/core/lib/security/credentials/alts/alts_credentials.cc \ src/core/lib/security/credentials/alts/check_gcp_environment.cc \ 
@@ -4430,6 +4432,7 @@ endif LIBGRPC_ABSEIL_SRC = \ third_party/abseil-cpp/absl/base/dynamic_annotations.cc \ third_party/abseil-cpp/absl/base/internal/cycleclock.cc \ + third_party/abseil-cpp/absl/base/internal/exponential_biased.cc \ third_party/abseil-cpp/absl/base/internal/low_level_alloc.cc \ third_party/abseil-cpp/absl/base/internal/raw_logging.cc \ third_party/abseil-cpp/absl/base/internal/spinlock.cc \ @@ -4439,12 +4442,17 @@ LIBGRPC_ABSEIL_SRC = \ third_party/abseil-cpp/absl/base/internal/throw_delegate.cc \ third_party/abseil-cpp/absl/base/internal/unscaledcycleclock.cc \ third_party/abseil-cpp/absl/base/log_severity.cc \ + third_party/abseil-cpp/absl/container/internal/hashtablez_sampler.cc \ + third_party/abseil-cpp/absl/container/internal/hashtablez_sampler_force_weak_definition.cc \ + third_party/abseil-cpp/absl/container/internal/raw_hash_set.cc \ third_party/abseil-cpp/absl/debugging/internal/address_is_readable.cc \ third_party/abseil-cpp/absl/debugging/internal/demangle.cc \ third_party/abseil-cpp/absl/debugging/internal/elf_mem_image.cc \ third_party/abseil-cpp/absl/debugging/internal/vdso_support.cc \ third_party/abseil-cpp/absl/debugging/stacktrace.cc \ third_party/abseil-cpp/absl/debugging/symbolize.cc \ + third_party/abseil-cpp/absl/hash/internal/city.cc \ + third_party/abseil-cpp/absl/hash/internal/hash.cc \ third_party/abseil-cpp/absl/numeric/int128.cc \ third_party/abseil-cpp/absl/status/status.cc \ third_party/abseil-cpp/absl/status/status_payload_printer.cc \ @@ -4495,6 +4503,7 @@ LIBGRPC_ABSEIL_SRC = \ third_party/abseil-cpp/absl/time/internal/cctz/src/zone_info_source.cc \ third_party/abseil-cpp/absl/time/time.cc \ third_party/abseil-cpp/absl/types/bad_optional_access.cc \ + third_party/abseil-cpp/absl/types/bad_variant_access.cc \ LIBGRPC_ABSEIL_OBJS = $(addprefix $(OBJDIR)/$(CONFIG)/, $(addsuffix .o, $(basename $(LIBGRPC_ABSEIL_SRC)))) 
@@ -4769,6 +4778,8 @@ src/core/ext/upb-generated/src/proto/grpc/gcp/handshaker.upb.c: $(OPENSSL_DEP) src/core/ext/upb-generated/src/proto/grpc/gcp/transport_security_common.upb.c: $(OPENSSL_DEP) src/core/ext/xds/xds_channel_secure.cc: $(OPENSSL_DEP) src/core/lib/http/httpcli_security_connector.cc: $(OPENSSL_DEP) +src/core/lib/security/authorization/authorization_engine.cc: $(OPENSSL_DEP) +src/core/lib/security/authorization/evaluate_args.cc: $(OPENSSL_DEP) src/core/lib/security/context/security_context.cc: $(OPENSSL_DEP) src/core/lib/security/credentials/alts/alts_credentials.cc: $(OPENSSL_DEP) src/core/lib/security/credentials/alts/check_gcp_environment.cc: $(OPENSSL_DEP) diff --git a/build_autogenerated.yaml b/build_autogenerated.yaml index 7228789cb16..f69c85f697e 100644 --- a/build_autogenerated.yaml +++ b/build_autogenerated.yaml @@ -651,6 +651,10 @@ libs: - src/core/lib/iomgr/wakeup_fd_posix.h - src/core/lib/iomgr/work_serializer.h - src/core/lib/json/json.h + - src/core/lib/security/authorization/authorization_engine.h + - src/core/lib/security/authorization/evaluate_args.h + - src/core/lib/security/authorization/mock_cel/activation.h + - src/core/lib/security/authorization/mock_cel/cel_value.h - src/core/lib/security/context/security_context.h - src/core/lib/security/credentials/alts/alts_credentials.h - src/core/lib/security/credentials/alts/check_gcp_environment.h @@ -1059,6 +1063,8 @@ libs: - src/core/lib/iomgr/work_serializer.cc - src/core/lib/json/json_reader.cc - src/core/lib/json/json_writer.cc + - src/core/lib/security/authorization/authorization_engine.cc + - src/core/lib/security/authorization/evaluate_args.cc - src/core/lib/security/context/security_context.cc - src/core/lib/security/credentials/alts/alts_credentials.cc - src/core/lib/security/credentials/alts/check_gcp_environment.cc 
@@ -1177,6 +1183,7 @@ libs: - absl/strings:strings - absl/status:status - absl/container:inlined_vector + - absl/container:flat_hash_set baselib: true deps_linkage: static dll: true @@ -1203,6 +1210,7 @@ libs: headers: - test/core/util/cmdline.h - test/core/util/debugger_macros.h + - test/core/util/eval_args_mock_endpoint.h - test/core/util/fuzzer_util.h - test/core/util/grpc_profiler.h - test/core/util/histogram.h @@ -1222,6 +1230,7 @@ libs: src: - test/core/util/cmdline.cc - test/core/util/debugger_macros.cc + - test/core/util/eval_args_mock_endpoint.cc - test/core/util/fuzzer_util.cc - test/core/util/grpc_profiler.cc - test/core/util/histogram.cc @@ -1252,6 +1261,7 @@ libs: headers: - test/core/util/cmdline.h - test/core/util/debugger_macros.h + - test/core/util/eval_args_mock_endpoint.h - test/core/util/fuzzer_util.h - test/core/util/grpc_profiler.h - test/core/util/histogram.h @@ -1271,6 +1281,7 @@ libs: src: - test/core/util/cmdline.cc - test/core/util/debugger_macros.cc + - test/core/util/eval_args_mock_endpoint.cc - test/core/util/fuzzer_util.cc - test/core/util/grpc_profiler.cc - test/core/util/histogram.cc @@ -4769,14 +4780,8 @@ targets: gtest: true build: test language: c++ - headers: - - src/core/lib/security/authorization/authorization_engine.h - - src/core/lib/security/authorization/evaluate_args.h - - src/core/lib/security/authorization/mock_cel/activation.h - - src/core/lib/security/authorization/mock_cel/cel_value.h + headers: [] src: - - src/core/lib/security/authorization/authorization_engine.cc - - src/core/lib/security/authorization/evaluate_args.cc - test/core/security/authorization_engine_test.cc deps: - grpc_test_util @@ -5815,6 +5820,19 @@ targets: - gpr - address_sorting - upb +- name: evaluate_args_test + gtest: true + build: test + language: c++ + headers: [] + src: + - test/core/security/evaluate_args_test.cc + deps: + - grpc_test_util + - grpc + - gpr + - address_sorting + - upb - name: eventmanager_libuv_test gtest: true build: test 
@@ -7503,6 +7521,7 @@ targets: headers: - test/core/util/cmdline.h - test/core/util/debugger_macros.h + - test/core/util/eval_args_mock_endpoint.h - test/core/util/fuzzer_util.h - test/core/util/grpc_profiler.h - test/core/util/histogram.h @@ -7525,6 +7544,7 @@ targets: - src/proto/grpc/testing/simple_messages.proto - test/core/util/cmdline.cc - test/core/util/debugger_macros.cc + - test/core/util/eval_args_mock_endpoint.cc - test/core/util/fuzzer_util.cc - test/core/util/grpc_profiler.cc - test/core/util/histogram.cc diff --git a/config.m4 b/config.m4 index 8b1a28664da..68098a6eddf 100644 --- a/config.m4 +++ b/config.m4 @@ -392,6 +392,8 @@ if test "$PHP_GRPC" != "no"; then src/core/lib/json/json_writer.cc \ src/core/lib/profiling/basic_timers.cc \ src/core/lib/profiling/stap_timers.cc \ + src/core/lib/security/authorization/authorization_engine.cc \ + src/core/lib/security/authorization/evaluate_args.cc \ src/core/lib/security/context/security_context.cc \ src/core/lib/security/credentials/alts/alts_credentials.cc \ src/core/lib/security/credentials/alts/check_gcp_environment.cc \ @@ -514,6 +516,7 @@ if test "$PHP_GRPC" != "no"; then src/php/ext/grpc/timeval.c \ third_party/abseil-cpp/absl/base/dynamic_annotations.cc \ third_party/abseil-cpp/absl/base/internal/cycleclock.cc \ + third_party/abseil-cpp/absl/base/internal/exponential_biased.cc \ third_party/abseil-cpp/absl/base/internal/low_level_alloc.cc \ third_party/abseil-cpp/absl/base/internal/raw_logging.cc \ third_party/abseil-cpp/absl/base/internal/spinlock.cc \ 
@@ -523,12 +526,17 @@ if test "$PHP_GRPC" != "no"; then third_party/abseil-cpp/absl/base/internal/throw_delegate.cc \ third_party/abseil-cpp/absl/base/internal/unscaledcycleclock.cc \ third_party/abseil-cpp/absl/base/log_severity.cc \ + third_party/abseil-cpp/absl/container/internal/hashtablez_sampler.cc \ + third_party/abseil-cpp/absl/container/internal/hashtablez_sampler_force_weak_definition.cc \ + third_party/abseil-cpp/absl/container/internal/raw_hash_set.cc \ third_party/abseil-cpp/absl/debugging/internal/address_is_readable.cc \ third_party/abseil-cpp/absl/debugging/internal/demangle.cc \ third_party/abseil-cpp/absl/debugging/internal/elf_mem_image.cc \ third_party/abseil-cpp/absl/debugging/internal/vdso_support.cc \ third_party/abseil-cpp/absl/debugging/stacktrace.cc \ third_party/abseil-cpp/absl/debugging/symbolize.cc \ + third_party/abseil-cpp/absl/hash/internal/city.cc \ + third_party/abseil-cpp/absl/hash/internal/hash.cc \ third_party/abseil-cpp/absl/numeric/int128.cc \ third_party/abseil-cpp/absl/status/status.cc \ third_party/abseil-cpp/absl/status/status_payload_printer.cc \ @@ -579,6 +587,7 @@ if test "$PHP_GRPC" != "no"; then third_party/abseil-cpp/absl/time/internal/cctz/src/zone_info_source.cc \ third_party/abseil-cpp/absl/time/time.cc \ third_party/abseil-cpp/absl/types/bad_optional_access.cc \ + third_party/abseil-cpp/absl/types/bad_variant_access.cc \ third_party/address_sorting/address_sorting.c \ third_party/address_sorting/address_sorting_posix.c \ third_party/address_sorting/address_sorting_windows.c \ 
@@ -964,6 +973,7 @@ if test "$PHP_GRPC" != "no"; then PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/iomgr/poller) PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/json) PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/profiling) + PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/authorization) PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/context) PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials) PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials/alts) @@ -999,8 +1009,10 @@ if test "$PHP_GRPC" != "no"; then PHP_ADD_BUILD_DIR($ext_builddir/src/php/ext/grpc) PHP_ADD_BUILD_DIR($ext_builddir/third_party/abseil-cpp/absl/base) PHP_ADD_BUILD_DIR($ext_builddir/third_party/abseil-cpp/absl/base/internal) + PHP_ADD_BUILD_DIR($ext_builddir/third_party/abseil-cpp/absl/container/internal) PHP_ADD_BUILD_DIR($ext_builddir/third_party/abseil-cpp/absl/debugging) PHP_ADD_BUILD_DIR($ext_builddir/third_party/abseil-cpp/absl/debugging/internal) + PHP_ADD_BUILD_DIR($ext_builddir/third_party/abseil-cpp/absl/hash/internal) PHP_ADD_BUILD_DIR($ext_builddir/third_party/abseil-cpp/absl/numeric) PHP_ADD_BUILD_DIR($ext_builddir/third_party/abseil-cpp/absl/status) PHP_ADD_BUILD_DIR($ext_builddir/third_party/abseil-cpp/absl/strings) diff --git a/config.w32 b/config.w32 index 76df40bc91c..44abe47a3f1 100644 --- a/config.w32 +++ b/config.w32 @@ -360,6 +360,8 @@ if (PHP_GRPC != "no") { "src\\core\\lib\\json\\json_writer.cc " + "src\\core\\lib\\profiling\\basic_timers.cc " + "src\\core\\lib\\profiling\\stap_timers.cc " + + "src\\core\\lib\\security\\authorization\\authorization_engine.cc " + + "src\\core\\lib\\security\\authorization\\evaluate_args.cc " + "src\\core\\lib\\security\\context\\security_context.cc " + "src\\core\\lib\\security\\credentials\\alts\\alts_credentials.cc " + "src\\core\\lib\\security\\credentials\\alts\\check_gcp_environment.cc " + 
@@ -482,6 +484,7 @@ if (PHP_GRPC != "no") { "src\\php\\ext\\grpc\\timeval.c " + "third_party\\abseil-cpp\\absl\\base\\dynamic_annotations.cc " + "third_party\\abseil-cpp\\absl\\base\\internal\\cycleclock.cc " + + "third_party\\abseil-cpp\\absl\\base\\internal\\exponential_biased.cc " + "third_party\\abseil-cpp\\absl\\base\\internal\\low_level_alloc.cc " + "third_party\\abseil-cpp\\absl\\base\\internal\\raw_logging.cc " + "third_party\\abseil-cpp\\absl\\base\\internal\\spinlock.cc " + @@ -491,12 +494,17 @@ if (PHP_GRPC != "no") { "third_party\\abseil-cpp\\absl\\base\\internal\\throw_delegate.cc " + "third_party\\abseil-cpp\\absl\\base\\internal\\unscaledcycleclock.cc " + "third_party\\abseil-cpp\\absl\\base\\log_severity.cc " + + "third_party\\abseil-cpp\\absl\\container\\internal\\hashtablez_sampler.cc " + + "third_party\\abseil-cpp\\absl\\container\\internal\\hashtablez_sampler_force_weak_definition.cc " + + "third_party\\abseil-cpp\\absl\\container\\internal\\raw_hash_set.cc " + "third_party\\abseil-cpp\\absl\\debugging\\internal\\address_is_readable.cc " + "third_party\\abseil-cpp\\absl\\debugging\\internal\\demangle.cc " + "third_party\\abseil-cpp\\absl\\debugging\\internal\\elf_mem_image.cc " + "third_party\\abseil-cpp\\absl\\debugging\\internal\\vdso_support.cc " + "third_party\\abseil-cpp\\absl\\debugging\\stacktrace.cc " + "third_party\\abseil-cpp\\absl\\debugging\\symbolize.cc " + + "third_party\\abseil-cpp\\absl\\hash\\internal\\city.cc " + + "third_party\\abseil-cpp\\absl\\hash\\internal\\hash.cc " + "third_party\\abseil-cpp\\absl\\numeric\\int128.cc " + "third_party\\abseil-cpp\\absl\\status\\status.cc " + "third_party\\abseil-cpp\\absl\\status\\status_payload_printer.cc " + 
@@ -547,6 +555,7 @@ if (PHP_GRPC != "no") { "third_party\\abseil-cpp\\absl\\time\\internal\\cctz\\src\\zone_info_source.cc " + "third_party\\abseil-cpp\\absl\\time\\time.cc " + "third_party\\abseil-cpp\\absl\\types\\bad_optional_access.cc " + + "third_party\\abseil-cpp\\absl\\types\\bad_variant_access.cc " + "third_party\\address_sorting\\address_sorting.c " + "third_party\\address_sorting\\address_sorting_posix.c " + "third_party\\address_sorting\\address_sorting_windows.c " + @@ -1007,6 +1016,7 @@ if (PHP_GRPC != "no") { FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\json"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\profiling"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security"); + FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\authorization"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\context"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials\\alts"); 
@@ -1049,8 +1059,12 @@ if (PHP_GRPC != "no") { FSO.CreateFolder(base_dir+"\\ext\\grpc\\third_party\\abseil-cpp\\absl"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\third_party\\abseil-cpp\\absl\\base"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\third_party\\abseil-cpp\\absl\\base\\internal"); + FSO.CreateFolder(base_dir+"\\ext\\grpc\\third_party\\abseil-cpp\\absl\\container"); + FSO.CreateFolder(base_dir+"\\ext\\grpc\\third_party\\abseil-cpp\\absl\\container\\internal"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\third_party\\abseil-cpp\\absl\\debugging"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\third_party\\abseil-cpp\\absl\\debugging\\internal"); + FSO.CreateFolder(base_dir+"\\ext\\grpc\\third_party\\abseil-cpp\\absl\\hash"); + FSO.CreateFolder(base_dir+"\\ext\\grpc\\third_party\\abseil-cpp\\absl\\hash\\internal"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\third_party\\abseil-cpp\\absl\\numeric"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\third_party\\abseil-cpp\\absl\\status"); FSO.CreateFolder(base_dir+"\\ext\\grpc\\third_party\\abseil-cpp\\absl\\strings"); diff --git a/gRPC-C++.podspec b/gRPC-C++.podspec index 35f93c587c8..b17c29a7f3a 100644 --- a/gRPC-C++.podspec +++ b/gRPC-C++.podspec @@ -201,6 +201,7 @@ Pod::Spec.new do |s| ss.dependency 'gRPC-Core', version abseil_version = '1.20200225.0' ss.dependency 'abseil/base/base', abseil_version + ss.dependency 'abseil/container/flat_hash_set', abseil_version ss.dependency 'abseil/container/inlined_vector', abseil_version ss.dependency 'abseil/memory/memory', abseil_version ss.dependency 'abseil/status/status', abseil_version 
@@ -513,6 +514,10 @@ Pod::Spec.new do |s| 'src/core/lib/iomgr/work_serializer.h', 'src/core/lib/json/json.h', 'src/core/lib/profiling/timers.h', + 'src/core/lib/security/authorization/authorization_engine.h', + 'src/core/lib/security/authorization/evaluate_args.h', + 'src/core/lib/security/authorization/mock_cel/activation.h', + 'src/core/lib/security/authorization/mock_cel/cel_value.h', 'src/core/lib/security/context/security_context.h', 'src/core/lib/security/credentials/alts/alts_credentials.h', 'src/core/lib/security/credentials/alts/check_gcp_environment.h', @@ -1003,6 +1008,10 @@ Pod::Spec.new do |s| 'src/core/lib/iomgr/work_serializer.h', 'src/core/lib/json/json.h', 'src/core/lib/profiling/timers.h', + 'src/core/lib/security/authorization/authorization_engine.h', + 'src/core/lib/security/authorization/evaluate_args.h', + 'src/core/lib/security/authorization/mock_cel/activation.h', + 'src/core/lib/security/authorization/mock_cel/cel_value.h', 'src/core/lib/security/context/security_context.h', 'src/core/lib/security/credentials/alts/alts_credentials.h', 'src/core/lib/security/credentials/alts/check_gcp_environment.h', diff --git a/gRPC-Core.podspec b/gRPC-Core.podspec index b982ab76cb2..b264b5ec151 100644 --- a/gRPC-Core.podspec +++ b/gRPC-Core.podspec @@ -175,6 +175,7 @@ Pod::Spec.new do |s| ss.dependency 'BoringSSL-GRPC', '0.0.12' abseil_version = '1.20200225.0' ss.dependency 'abseil/base/base', abseil_version + ss.dependency 'abseil/container/flat_hash_set', abseil_version ss.dependency 'abseil/container/inlined_vector', abseil_version ss.dependency 'abseil/memory/memory', abseil_version ss.dependency 'abseil/status/status', abseil_version 
@@ -842,6 +843,12 @@ Pod::Spec.new do |s| 'src/core/lib/profiling/basic_timers.cc', 'src/core/lib/profiling/stap_timers.cc', 'src/core/lib/profiling/timers.h', + 'src/core/lib/security/authorization/authorization_engine.cc', + 'src/core/lib/security/authorization/authorization_engine.h', + 'src/core/lib/security/authorization/evaluate_args.cc', + 'src/core/lib/security/authorization/evaluate_args.h', + 'src/core/lib/security/authorization/mock_cel/activation.h', + 'src/core/lib/security/authorization/mock_cel/cel_value.h', 'src/core/lib/security/context/security_context.cc', 'src/core/lib/security/context/security_context.h', 'src/core/lib/security/credentials/alts/alts_credentials.cc', @@ -1412,6 +1419,10 @@ Pod::Spec.new do |s| 'src/core/lib/iomgr/work_serializer.h', 'src/core/lib/json/json.h', 'src/core/lib/profiling/timers.h', + 'src/core/lib/security/authorization/authorization_engine.h', + 'src/core/lib/security/authorization/evaluate_args.h', + 'src/core/lib/security/authorization/mock_cel/activation.h', + 'src/core/lib/security/authorization/mock_cel/cel_value.h', 'src/core/lib/security/context/security_context.h', 'src/core/lib/security/credentials/alts/alts_credentials.h', 'src/core/lib/security/credentials/alts/check_gcp_environment.h', @@ -1673,6 +1684,8 @@ Pod::Spec.new do |s| 'test/core/util/cmdline.h', 'test/core/util/debugger_macros.cc', 'test/core/util/debugger_macros.h', + 'test/core/util/eval_args_mock_endpoint.cc', + 'test/core/util/eval_args_mock_endpoint.h', 'test/core/util/fuzzer_util.cc', 'test/core/util/fuzzer_util.h', 'test/core/util/grpc_profiler.cc', diff --git a/grpc.gemspec b/grpc.gemspec index c5bd2207a09..4060a7ef09b 100644 --- a/grpc.gemspec +++ b/grpc.gemspec 
@@ -761,6 +761,12 @@ Gem::Specification.new do |s| s.files += %w( src/core/lib/profiling/basic_timers.cc ) s.files += %w( src/core/lib/profiling/stap_timers.cc ) s.files += %w( src/core/lib/profiling/timers.h ) + s.files += %w( src/core/lib/security/authorization/authorization_engine.cc ) + s.files += %w( src/core/lib/security/authorization/authorization_engine.h ) + s.files += %w( src/core/lib/security/authorization/evaluate_args.cc ) + s.files += %w( src/core/lib/security/authorization/evaluate_args.h ) + s.files += %w( src/core/lib/security/authorization/mock_cel/activation.h ) + s.files += %w( src/core/lib/security/authorization/mock_cel/cel_value.h ) s.files += %w( src/core/lib/security/context/security_context.cc ) s.files += %w( src/core/lib/security/context/security_context.h ) s.files += %w( src/core/lib/security/credentials/alts/alts_credentials.cc ) @@ -966,6 +972,7 @@ Gem::Specification.new do |s| s.files += %w( src/core/tsi/transport_security_grpc.h ) s.files += %w( src/core/tsi/transport_security_interface.h ) s.files += %w( third_party/abseil-cpp/absl/algorithm/algorithm.h ) + s.files += %w( third_party/abseil-cpp/absl/algorithm/container.h ) s.files += %w( third_party/abseil-cpp/absl/base/attributes.h ) s.files += %w( third_party/abseil-cpp/absl/base/call_once.h ) s.files += %w( third_party/abseil-cpp/absl/base/casts.h ) 
@@ -980,6 +987,8 @@ Gem::Specification.new do |s| s.files += %w( third_party/abseil-cpp/absl/base/internal/direct_mmap.h ) s.files += %w( third_party/abseil-cpp/absl/base/internal/endian.h ) s.files += %w( third_party/abseil-cpp/absl/base/internal/errno_saver.h ) + s.files += %w( third_party/abseil-cpp/absl/base/internal/exponential_biased.cc ) + s.files += %w( third_party/abseil-cpp/absl/base/internal/exponential_biased.h ) s.files += %w( third_party/abseil-cpp/absl/base/internal/hide_ptr.h ) s.files += %w( third_party/abseil-cpp/absl/base/internal/identity.h ) s.files += %w( third_party/abseil-cpp/absl/base/internal/inline_variable.h ) 
@@ -1019,9 +1028,22 @@ Gem::Specification.new do |s| s.files += %w( third_party/abseil-cpp/absl/base/port.h ) s.files += %w( third_party/abseil-cpp/absl/base/thread_annotations.h ) s.files += %w( third_party/abseil-cpp/absl/container/fixed_array.h ) + s.files += %w( third_party/abseil-cpp/absl/container/flat_hash_set.h ) s.files += %w( third_party/abseil-cpp/absl/container/inlined_vector.h ) + s.files += %w( third_party/abseil-cpp/absl/container/internal/common.h ) s.files += %w( third_party/abseil-cpp/absl/container/internal/compressed_tuple.h ) + s.files += %w( third_party/abseil-cpp/absl/container/internal/container_memory.h ) + s.files += %w( third_party/abseil-cpp/absl/container/internal/hash_function_defaults.h ) + s.files += %w( third_party/abseil-cpp/absl/container/internal/hash_policy_traits.h ) + s.files += %w( third_party/abseil-cpp/absl/container/internal/hashtable_debug_hooks.h ) + s.files += %w( third_party/abseil-cpp/absl/container/internal/hashtablez_sampler.cc ) + s.files += %w( third_party/abseil-cpp/absl/container/internal/hashtablez_sampler.h ) + s.files += %w( third_party/abseil-cpp/absl/container/internal/hashtablez_sampler_force_weak_definition.cc ) + s.files += %w( third_party/abseil-cpp/absl/container/internal/have_sse.h ) s.files += %w( third_party/abseil-cpp/absl/container/internal/inlined_vector.h ) + s.files += %w( third_party/abseil-cpp/absl/container/internal/layout.h ) + s.files += %w( third_party/abseil-cpp/absl/container/internal/raw_hash_set.cc ) + s.files += %w( third_party/abseil-cpp/absl/container/internal/raw_hash_set.h ) s.files += %w( third_party/abseil-cpp/absl/debugging/internal/address_is_readable.cc ) s.files += %w( third_party/abseil-cpp/absl/debugging/internal/address_is_readable.h ) s.files += %w( third_party/abseil-cpp/absl/debugging/internal/demangle.cc ) 
@@ -1048,6 +1070,11 @@ Gem::Specification.new do |s| s.files += %w( third_party/abseil-cpp/absl/debugging/symbolize_win32.inc ) s.files += %w( third_party/abseil-cpp/absl/functional/function_ref.h ) s.files += %w( third_party/abseil-cpp/absl/functional/internal/function_ref.h ) + s.files += %w( third_party/abseil-cpp/absl/hash/hash.h ) + s.files += %w( third_party/abseil-cpp/absl/hash/internal/city.cc ) + s.files += %w( third_party/abseil-cpp/absl/hash/internal/city.h ) + s.files += %w( third_party/abseil-cpp/absl/hash/internal/hash.cc ) + s.files += %w( third_party/abseil-cpp/absl/hash/internal/hash.h ) s.files += %w( third_party/abseil-cpp/absl/memory/memory.h ) s.files += %w( third_party/abseil-cpp/absl/meta/type_traits.h ) s.files += %w( third_party/abseil-cpp/absl/numeric/int128.cc ) @@ -1165,10 +1192,14 @@ Gem::Specification.new do |s| s.files += %w( third_party/abseil-cpp/absl/time/time.h ) s.files += %w( third_party/abseil-cpp/absl/types/bad_optional_access.cc ) s.files += %w( third_party/abseil-cpp/absl/types/bad_optional_access.h ) + s.files += %w( third_party/abseil-cpp/absl/types/bad_variant_access.cc ) + s.files += %w( third_party/abseil-cpp/absl/types/bad_variant_access.h ) s.files += %w( third_party/abseil-cpp/absl/types/internal/optional.h ) s.files += %w( third_party/abseil-cpp/absl/types/internal/span.h ) + s.files += %w( third_party/abseil-cpp/absl/types/internal/variant.h ) s.files += %w( third_party/abseil-cpp/absl/types/optional.h ) s.files += %w( third_party/abseil-cpp/absl/types/span.h ) + s.files += %w( third_party/abseil-cpp/absl/types/variant.h ) s.files += %w( third_party/abseil-cpp/absl/utility/utility.h ) s.files += %w( third_party/address_sorting/address_sorting.c ) s.files += %w( third_party/address_sorting/address_sorting_internal.h ) diff --git a/grpc.gyp b/grpc.gyp index ae7d87c9d69..468e4d43186 100644 --- a/grpc.gyp +++ b/grpc.gyp 
@@ -438,6 +438,7 @@ 'absl/strings:strings', 'absl/status:status', 'absl/container:inlined_vector', + 'absl/container:flat_hash_set', ], 'sources': [ 'src/core/ext/filters/census/grpc_context.cc', @@ -753,6 +754,8 @@ 'src/core/lib/iomgr/work_serializer.cc', 'src/core/lib/json/json_reader.cc', 'src/core/lib/json/json_writer.cc', + 'src/core/lib/security/authorization/authorization_engine.cc', + 'src/core/lib/security/authorization/evaluate_args.cc', 'src/core/lib/security/context/security_context.cc', 'src/core/lib/security/credentials/alts/alts_credentials.cc', 'src/core/lib/security/credentials/alts/check_gcp_environment.cc', @@ -890,6 +893,7 @@ 'sources': [ 'test/core/util/cmdline.cc', 'test/core/util/debugger_macros.cc', + 'test/core/util/eval_args_mock_endpoint.cc', 'test/core/util/fuzzer_util.cc', 'test/core/util/grpc_profiler.cc', 'test/core/util/histogram.cc', @@ -922,6 +926,7 @@ 'sources': [ 'test/core/util/cmdline.cc', 'test/core/util/debugger_macros.cc', + 'test/core/util/eval_args_mock_endpoint.cc', 'test/core/util/fuzzer_util.cc', 'test/core/util/grpc_profiler.cc', 'test/core/util/histogram.cc', diff --git a/package.xml b/package.xml index 717113b2d79..fc26c837c46 100644 --- a/package.xml +++ b/package.xml @@ -741,6 +741,12 @@ + + + + + + @@ -968,6 +974,7 @@ + @@ -982,6 +989,8 @@ + + @@ -1021,9 +1030,22 @@ + + + + + + + + + + + + + @@ -1050,6 +1072,11 @@ + + + + + @@ -1167,10 +1194,14 @@ + + + + diff --git a/src/core/lib/security/authorization/authorization_engine.cc b/src/core/lib/security/authorization/authorization_engine.cc index 58e23f991cf..8e6a63dc21b 100644 --- a/src/core/lib/security/authorization/authorization_engine.cc +++ b/src/core/lib/security/authorization/authorization_engine.cc 
@@ -20,6 +20,22 @@ namespace grpc_core {
+namespace {
+
+// Symbols for traversing Envoy Attributes
+constexpr char kUrlPath[] = "url_path";
+constexpr char kHost[] = "host";
+constexpr char kMethod[] = "method";
+constexpr char kHeaders[] = "headers";
+constexpr char kSourceAddress[] = "source_address";
+constexpr char kSourcePort[] = "source_port";
+constexpr char kDestinationAddress[] = "destination_address";
+constexpr char kDestinationPort[] = "destination_port";
+constexpr char kSpiffeId[] = "spiffe_id";
+constexpr char kCertServerName[] = "cert_server_name";
+
+} // namespace
+
 std::unique_ptr AuthorizationEngine::CreateAuthorizationEngine(
 const std::vector& rbac_policies) {
@@ -74,4 +90,88 @@ AuthorizationEngine::AuthorizationEngine(
 }
 }
+std::unique_ptr AuthorizationEngine::CreateActivation(
+ const EvaluateArgs& args) {
+ std::unique_ptr activation;
+ for (const auto& elem : envoy_attributes_) {
+ if (elem == kUrlPath) {
+ absl::string_view url_path(args.GetPath());
+ if (!url_path.empty()) {
+ activation->InsertValue(kUrlPath,
+ mock_cel::CelValue::CreateStringView(url_path));
+ }
+ } else if (elem == kHost) {
+ absl::string_view host(args.GetHost());
+ if (!host.empty()) {
+ activation->InsertValue(kHost,
+ mock_cel::CelValue::CreateStringView(host));
+ }
+ } else if (elem == kMethod) {
+ absl::string_view method(args.GetMethod());
+ if (!method.empty()) {
+ activation->InsertValue(kMethod,
+ mock_cel::CelValue::CreateStringView(method));
+ }
+ } else if (elem == kHeaders) {
+ std::multimap headers =
+ args.GetHeaders();
+ std::vector>
+ header_items;
+ for (const auto& header_key : header_keys_) {
+ auto header_item = headers.find(header_key);
+ if (header_item != headers.end()) {
+ header_items.push_back(
+ std::pair(
+ mock_cel::CelValue::CreateStringView(header_key),
+ mock_cel::CelValue::CreateStringView(header_item->second)));
+ }
+ }
+ headers_ = mock_cel::ContainerBackedMapImpl::Create(
+ absl::Span>(
+ header_items));
+ activation->InsertValue(kHeaders,
+ mock_cel::CelValue::CreateMap(headers_.get()));
+ } else if (elem == kSourceAddress) {
+ absl::string_view source_address(args.GetPeerAddress());
+ if (!source_address.empty()) {
+ activation->InsertValue(
+ kSourceAddress,
+ mock_cel::CelValue::CreateStringView(source_address));
+ }
+ } else if (elem == kSourcePort) {
+ activation->InsertValue(
+ kSourcePort, mock_cel::CelValue::CreateInt64(args.GetPeerPort()));
+ } else if (elem == kDestinationAddress) {
+ absl::string_view destination_address(args.GetLocalAddress());
+ if (!destination_address.empty()) {
+ activation->InsertValue(
+ kDestinationAddress,
+ mock_cel::CelValue::CreateStringView(destination_address));
+ }
+ } else if (elem == kDestinationPort) {
+ activation->InsertValue(kDestinationPort, mock_cel::CelValue::CreateInt64(
+ args.GetLocalPort()));
+ } else if (elem == kSpiffeId) {
+ absl::string_view spiffe_id(args.GetSpiffeId());
+ if (!spiffe_id.empty()) {
+ activation->InsertValue(
+ kSpiffeId, mock_cel::CelValue::CreateStringView(spiffe_id));
+ }
+ } else if (elem == kCertServerName) {
+ absl::string_view cert_server_name(args.GetCertServerName());
+ if (!cert_server_name.empty()) {
+ activation->InsertValue(
+ kCertServerName,
+ mock_cel::CelValue::CreateStringView(cert_server_name));
+ }
+ } else {
+ gpr_log(GPR_ERROR,
+ "Error: Authorization engine does not support evaluating "
+ "attribute %s.",
+ elem.c_str());
+ }
+ }
+ return activation;
+}
+
 } // namespace grpc_core
diff --git a/src/core/lib/security/authorization/authorization_engine.h b/src/core/lib/security/authorization/authorization_engine.h
index 406cebbc452..809784c334e 100644
--- a/src/core/lib/security/authorization/authorization_engine.h
+++ b/src/core/lib/security/authorization/authorization_engine.h
@@ -24,10 +24,14 @@
 #include
 #include
-#include "src/core/ext/upb-generated/envoy/config/rbac/v3/rbac.upb.h"
-#include "src/core/ext/upb-generated/google/api/expr/v1alpha1/syntax.upb.h"
+#include "absl/container/flat_hash_set.h"
+#include "envoy/config/rbac/v3/rbac.upb.h"
+#include "google/api/expr/v1alpha1/syntax.upb.h"
 #include "upb/upb.hpp"
+
+#include "src/core/lib/security/authorization/evaluate_args.h"
+#include "src/core/lib/security/authorization/mock_cel/activation.h"
+
 namespace grpc_core {
 // AuthorizationEngine makes an AuthorizationDecision to ALLOW or DENY the
@@ -62,11 +66,17 @@ class AuthorizationEngine {
 kDeny,
 };
+ std::unique_ptr CreateActivation(
+ const EvaluateArgs& args);
+
 std::map deny_if_matched_;
 std::map allow_if_matched_;
 upb::Arena arena_;
+ absl::flat_hash_set envoy_attributes_;
+ absl::flat_hash_set header_keys_;
+ std::unique_ptr headers_;
 };
 } // namespace grpc_core
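Review bot: `std::unique_ptr activation;` at the top of CreateActivation is never assigned, so every `activation->InsertValue(...)` in the loop dereferences a null pointer as soon as envoy_attributes_ is non-empty; it has to be constructed first, e.g. `auto activation = absl::make_unique<mock_cel::Activation>();` (the element type is stripped in this rendering — use the type the header declares CreateActivation to return). Separately, `headers.find(header_key)` on the multimap surfaces only the first value of a header that occurs more than once, so a rule that matches on a repeated header is evaluated against a single value; either iterate `headers.equal_range(header_key)` or document that only the first occurrence is considered, since this feeds an allow/deny decision. The final `else` branch logs an unsupported attribute and continues, which means a misspelled attribute in a policy is silently treated as absent rather than rejected when the engine is built.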
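Review bot: The new `headers_` member is overwritten on every CreateActivation call, while the activation returned from the previous call still holds the raw `headers_.get()` pointer that was inserted as the kHeaders value, so that earlier activation dangles as soon as a second one is created; the map should be owned by (or outlive) the activation rather than by the engine. The same per-call mutation makes CreateActivation non-const and unsafe to run concurrently on a shared engine, which the declaration should state, e.g. `// Not thread-safe: overwrites headers_; an activation is only valid until the next call.` The class body begins outside this hunk.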
diff --git a/src/core/lib/security/authorization/evaluate_args.cc b/src/core/lib/security/authorization/evaluate_args.cc
index dc6484550a4..68f6cb803d3 100644
--- a/src/core/lib/security/authorization/evaluate_args.cc
+++ b/src/core/lib/security/authorization/evaluate_args.cc
@@ -20,6 +20,9 @@
 #include "src/core/lib/security/authorization/evaluate_args.h"
+#include "src/core/lib/iomgr/parse_address.h"
+#include "src/core/lib/iomgr/resolve_address.h"
+#include "src/core/lib/iomgr/sockaddr_utils.h"
 #include "src/core/lib/slice/slice_utils.h"
 namespace grpc_core {
@@ -69,6 +72,58 @@ std::multimap EvaluateArgs::GetHeaders()
 return headers;
 }
+absl::string_view EvaluateArgs::GetLocalAddress() const {
+ absl::string_view addr = grpc_endpoint_get_local_address(endpoint_);
+ size_t first_colon = addr.find(":");
+ size_t last_colon = addr.rfind(":");
+ if (first_colon == std::string::npos || last_colon == std::string::npos) {
+ return "";
+ } else {
+ return addr.substr(first_colon + 1, last_colon - first_colon - 1);
+ }
+}
+
+int EvaluateArgs::GetLocalPort() const {
+ if (endpoint_ == nullptr) {
+ return 0;
+ }
+ grpc_uri* uri = grpc_uri_parse(
+ std::string(grpc_endpoint_get_local_address(endpoint_)).c_str(), true);
+ grpc_resolved_address resolved_addr;
+ if (uri == nullptr || !grpc_parse_uri(uri, &resolved_addr)) {
+ grpc_uri_destroy(uri);
+ return 0;
+ }
+ grpc_uri_destroy(uri);
+ return grpc_sockaddr_get_port(&resolved_addr);
+}
+
+absl::string_view EvaluateArgs::GetPeerAddress() const {
+ absl::string_view addr = grpc_endpoint_get_peer(endpoint_);
+ size_t first_colon = addr.find(":");
+ size_t last_colon = addr.rfind(":");
+ if (first_colon == std::string::npos || last_colon == std::string::npos) {
+ return "";
+ } else {
+ return addr.substr(first_colon + 1, last_colon - first_colon - 1);
+ }
+}
+
+int EvaluateArgs::GetPeerPort() const {
+ if (endpoint_ == nullptr) {
+ return 0;
+ }
+ grpc_uri* uri = grpc_uri_parse(
+ std::string(grpc_endpoint_get_peer(endpoint_)).c_str(), true);
+ grpc_resolved_address resolved_addr;
+ if (uri == nullptr || !grpc_parse_uri(uri, &resolved_addr)) {
+ grpc_uri_destroy(uri);
+ return 0;
+ }
+ grpc_uri_destroy(uri);
+ return grpc_sockaddr_get_port(&resolved_addr);
+}
+
 absl::string_view EvaluateArgs::GetSpiffeId() const {
 if (auth_context_ == nullptr) {
 return "";
diff --git a/src/core/lib/security/authorization/evaluate_args.h b/src/core/lib/security/authorization/evaluate_args.h
index da5b606fba1..e258f72bc87 100644
--- a/src/core/lib/security/authorization/evaluate_args.h
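Review bot: GetLocalAddress and GetPeerAddress call `grpc_endpoint_get_local_address(endpoint_)` / `grpc_endpoint_get_peer(endpoint_)` without the `endpoint_ == nullptr` guard that GetLocalPort and GetPeerPort have a few lines below, so an EvaluateArgs built without an endpoint (which the other getters tolerate) dereferences null; add `if (endpoint_ == nullptr) { return ""; }` at the top of both. The address getters also slice the URI between its first and last ':' while the port getters go through grpc_uri_parse/grpc_parse_uri, so the two paths can disagree on the same input (a bracketed IPv6 literal, for instance, would keep its brackets here); deriving the address from the parsed grpc_resolved_address via the sockaddr utilities would keep them consistent. Finally, a parse failure is reported as "" or 0, indistinguishable from a genuinely empty or zero value, and since these become the source/destination attributes of an authorization decision a failed parse should at least be logged so that a deny rule keyed on an address is not silently skipped.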
+++ b/src/core/lib/security/authorization/evaluate_args.h
@@ -32,12 +32,17 @@ namespace grpc_core {
 class EvaluateArgs {
 public:
 EvaluateArgs(grpc_metadata_batch* metadata, grpc_auth_context* auth_context,
-grpc_endpoint* endpoint);
+grpc_endpoint* endpoint)
+ : metadata_(metadata), auth_context_(auth_context), endpoint_(endpoint) {}
 absl::string_view GetPath() const;
 absl::string_view GetHost() const;
 absl::string_view GetMethod() const;
 std::multimap GetHeaders() const;
+ absl::string_view GetLocalAddress() const;
+ int GetLocalPort() const;
+ absl::string_view GetPeerAddress() const;
+ int GetPeerPort() const;
 absl::string_view GetSpiffeId() const;
 absl::string_view GetCertServerName() const;
diff --git a/src/core/lib/security/authorization/mock_cel/cel_value.h b/src/core/lib/security/authorization/mock_cel/cel_value.h
index 735c96652c5..e0217521cc1 100644
--- a/src/core/lib/security/authorization/mock_cel/cel_value.h
+++ b/src/core/lib/security/authorization/mock_cel/cel_value.h
@@ -38,7 +38,10 @@ namespace grpc_core {
 namespace mock_cel {
 // Break cyclic depdendencies for container types.
-class CelMap;
+class CelMap {
+ public:
+ CelMap() = default;
+};
 // This is a temporary stub implementation of CEL APIs.
 // Once gRPC imports the CEL library, this class will be removed.
@@ -73,6 +76,17 @@ class CelValue {
 explicit CelValue(T value) {}
 };
+
+// CelMap implementation that uses STL map container as backing storage.
+class ContainerBackedMapImpl : public CelMap {
+ public:
+ ContainerBackedMapImpl() = default;
+
+ static std::unique_ptr Create(
+ absl::Span> key_values) {
+ return absl::make_unique();
+ }
+};
+
 } // namespace mock_cel
 } // namespace grpc_core
diff --git a/src/python/grpcio/grpc_core_dependencies.py b/src/python/grpcio/grpc_core_dependencies.py
index 4e9d4ae3ce2..88cd4d7e0c8 100644
--- a/src/python/grpcio/grpc_core_dependencies.py
+++ b/src/python/grpcio/grpc_core_dependencies.py
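Review bot: The four new getters carry no comment, and their failure semantics are not recoverable from the header: the port getters return 0 when the endpoint is null or its URI does not parse, the address getters return "" when the URI has no ':', and the returned string_views alias storage owned by the endpoint. A short comment above GetLocalAddress would state that contract, e.g. `// Address/port of the local and peer ends of endpoint_, parsed from the endpoint's URI. Port getters return 0 and address getters "" when unavailable; returned views are valid only while the endpoint lives.` The constructor is now inlined and accepts nullptr for every argument without comment, so this is the only place the null contract would be written down.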
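Review bot: `ContainerBackedMapImpl::Create` discards `key_values` and returns an empty object, so a rule that inspects `headers` evaluates against an empty map until the real CEL implementation lands, yet the comment on the class says it uses an STL map as backing storage. Rename the parameter to `/*key_values*/` to avoid unused-parameter warnings and make the comment say what the code does, e.g. `// Stub: ignores key_values and holds no entries; replaced when the CEL library is imported.`, so that header-based rules are not relied on while this placeholder is in place.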
@@ -369,6 +369,8 @@ CORE_SOURCE_FILES = [ 'src/core/lib/json/json_writer.cc', 'src/core/lib/profiling/basic_timers.cc', 'src/core/lib/profiling/stap_timers.cc', + 'src/core/lib/security/authorization/authorization_engine.cc', + 'src/core/lib/security/authorization/evaluate_args.cc', 'src/core/lib/security/context/security_context.cc', 'src/core/lib/security/credentials/alts/alts_credentials.cc', 'src/core/lib/security/credentials/alts/check_gcp_environment.cc', @@ -481,6 +483,7 @@ CORE_SOURCE_FILES = [ 'src/core/tsi/transport_security_grpc.cc', 'third_party/abseil-cpp/absl/base/dynamic_annotations.cc', 'third_party/abseil-cpp/absl/base/internal/cycleclock.cc', + 'third_party/abseil-cpp/absl/base/internal/exponential_biased.cc', 'third_party/abseil-cpp/absl/base/internal/low_level_alloc.cc', 'third_party/abseil-cpp/absl/base/internal/raw_logging.cc', 'third_party/abseil-cpp/absl/base/internal/spinlock.cc', 
@@ -490,12 +493,17 @@ CORE_SOURCE_FILES = [ 'third_party/abseil-cpp/absl/base/internal/throw_delegate.cc', 'third_party/abseil-cpp/absl/base/internal/unscaledcycleclock.cc', 'third_party/abseil-cpp/absl/base/log_severity.cc', + 'third_party/abseil-cpp/absl/container/internal/hashtablez_sampler.cc', + 'third_party/abseil-cpp/absl/container/internal/hashtablez_sampler_force_weak_definition.cc', + 'third_party/abseil-cpp/absl/container/internal/raw_hash_set.cc', 'third_party/abseil-cpp/absl/debugging/internal/address_is_readable.cc', 'third_party/abseil-cpp/absl/debugging/internal/demangle.cc', 'third_party/abseil-cpp/absl/debugging/internal/elf_mem_image.cc', 'third_party/abseil-cpp/absl/debugging/internal/vdso_support.cc', 'third_party/abseil-cpp/absl/debugging/stacktrace.cc', 'third_party/abseil-cpp/absl/debugging/symbolize.cc', + 'third_party/abseil-cpp/absl/hash/internal/city.cc', + 'third_party/abseil-cpp/absl/hash/internal/hash.cc', 'third_party/abseil-cpp/absl/numeric/int128.cc', 'third_party/abseil-cpp/absl/status/status.cc', 'third_party/abseil-cpp/absl/status/status_payload_printer.cc', @@ -546,6 +554,7 @@ CORE_SOURCE_FILES = [ 'third_party/abseil-cpp/absl/time/internal/cctz/src/zone_info_source.cc', 'third_party/abseil-cpp/absl/time/time.cc', 'third_party/abseil-cpp/absl/types/bad_optional_access.cc', + 'third_party/abseil-cpp/absl/types/bad_variant_access.cc', 'third_party/address_sorting/address_sorting.c', 'third_party/address_sorting/address_sorting_posix.c', 'third_party/address_sorting/address_sorting_windows.c', diff --git a/test/core/security/BUILD b/test/core/security/BUILD index 3d404a2b0e7..9a4daaa2b78 100644 --- a/test/core/security/BUILD +++ b/test/core/security/BUILD @@ -79,7 +79,7 @@ grpc_cc_test( language = "C++", deps = [ "//:gpr", - "//:grpc_authorization_engine", + "//:grpc", "//test/core/util:grpc_test_util", ], ) 
@@ -95,6 +95,19 @@ grpc_cc_test(
 ],
 )
+grpc_cc_test(
+ name = "evaluate_args_test",
+ srcs = ["evaluate_args_test.cc"],
+ external_deps = ["gtest"],
+ language = "C++",
+ deps = [
+ "//:gpr",
+ "//:grpc",
+ "//test/core/util:grpc_test_util",
+ "//test/core/util:grpc_test_util_base",
+ ],
+)
+
 grpc_cc_test(
 name = "json_token_test",
 srcs = ["json_token_test.cc"],
diff --git a/test/core/security/evaluate_args_test.cc b/test/core/security/evaluate_args_test.cc
new file mode 100644
index 00000000000..394344dd60e
--- /dev/null
+++ b/test/core/security/evaluate_args_test.cc
@@ -0,0 +1,76 @@
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include
+
+#include
+#include "absl/strings/string_view.h"
+
+#include "src/core/lib/security/authorization/evaluate_args.h"
+#include "test/core/util/eval_args_mock_endpoint.h"
+
+namespace grpc_core {
+
+class EvaluateArgsTest : public ::testing::Test {
+ protected:
+ void SetUp() override {
+ local_address_ = "255.255.255.255";
+ peer_address_ = "128.128.128.128";
+ local_port_ = 413;
+ peer_port_ = 314;
+ endpoint_ = CreateEvalArgsMockEndpoint(local_address_.c_str(), local_port_,
+ peer_address_.c_str(), peer_port_);
+ evaluate_args_ =
+ absl::make_unique(nullptr, nullptr, endpoint_);
+ }
+ void TearDown() override { grpc_endpoint_destroy(endpoint_); }
+ grpc_endpoint* endpoint_;
+ std::unique_ptr evaluate_args_;
+ std::string local_address_;
+ std::string peer_address_;
+ int local_port_;
+ int peer_port_;
+};
+
+TEST_F(EvaluateArgsTest, TestEvaluateArgsLocalAddress) {
+ absl::string_view src_address = evaluate_args_->GetLocalAddress();
+ EXPECT_EQ(src_address, local_address_)
+ << "Error: Failed to extract correct Local address from EvaluateArgs.";
+}
+
+TEST_F(EvaluateArgsTest, TestEvaluateArgsLocalPort) {
+ int src_port = evaluate_args_->GetLocalPort();
+ EXPECT_EQ(src_port, local_port_)
+ << "Error: Failed to extract correct Local port from EvaluateArgs.";
+}
+
+TEST_F(EvaluateArgsTest, TestEvaluateArgsPeerAddress) {
+ absl::string_view dest_address = evaluate_args_->GetPeerAddress();
+ EXPECT_EQ(dest_address, peer_address_)
+ << "Error: Failed to extract correct Peer address from "
+ "EvaluateArgs. ";
+}
+
+TEST_F(EvaluateArgsTest, TestEvaluateArgsPeerPort) {
+ int dest_port = evaluate_args_->GetPeerPort();
+ EXPECT_EQ(dest_port, peer_port_)
+ << "Error: Failed to extract correct Peer port from EvaluateArgs.";
+}
+
+} // namespace grpc_core
+
+int main(int argc, char** argv) {
+ ::testing::InitGoogleTest(&argc, argv);
+ return RUN_ALL_TESTS();
+}
diff --git a/test/core/util/BUILD b/test/core/util/BUILD
index 86811da9215..35a396de687 100644
--- a/test/core/util/BUILD
+++ b/test/core/util/BUILD
@@ -38,6 +38,7 @@ grpc_cc_library(
 name = "grpc_test_util_base",
 srcs = [
 "cmdline.cc",
+ "eval_args_mock_endpoint.cc",
 "fuzzer_util.cc",
 "grpc_profiler.cc",
 "histogram.cc",
@@ -59,6 +60,7 @@ grpc_cc_library(
 ],
 hdrs = [
 "cmdline.h",
+ "eval_args_mock_endpoint.h",
 "fuzzer_util.h",
 "grpc_profiler.h",
 "histogram.h",
diff --git a/test/core/util/eval_args_mock_endpoint.cc b/test/core/util/eval_args_mock_endpoint.cc
new file mode 100644
index 00000000000..bd41d4b4191
--- /dev/null
+++ b/test/core/util/eval_args_mock_endpoint.cc
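Review bot: The fixture always supplies a live endpoint, so the `endpoint_ == nullptr` branch that GetLocalPort and GetPeerPort handle is never exercised; a case that builds `EvaluateArgs(nullptr, nullptr, nullptr)` and expects "" from both address getters and 0 from both port getters would also catch the missing null guard in the address getters. Only an IPv4 dotted-quad is covered, so whether GetLocalAddress is meant to return an IPv6 literal with or without brackets is left undefined (the mock endpoint would need an AF_INET6 path for that). The local names are also reversed relative to CreateActivation, which maps the local address to destination_address and the peer to source_address, so `src_address` for GetLocalAddress and `dest_address` for GetPeerAddress read backwards; `local_address` and `peer_address` would be clearer.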
@@ -0,0 +1,118 @@
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include
+
+#include "test/core/util/eval_args_mock_endpoint.h"
+
+#include
+
+#include
+
+#include "absl/strings/str_format.h"
+
+#include
+#include
+#include "src/core/lib/iomgr/sockaddr.h"
+#include "src/core/lib/iomgr/sockaddr_utils.h"
+
+namespace grpc_core {
+
+class EvalArgsMockEndpoint {
+ public:
+ EvalArgsMockEndpoint(absl::string_view local_uri, absl::string_view peer_uri)
+ : local_address_(local_uri), peer_(peer_uri) {
+ base_.vtable = &vtable_;
+ }
+ grpc_endpoint* base() const { return const_cast(&base_); }
+ static void Read(grpc_endpoint* ep, grpc_slice_buffer* slices,
+ grpc_closure* cb, bool unused) {}
+ static void Write(grpc_endpoint* ep, grpc_slice_buffer* slices,
+ grpc_closure* cb, void* unused) {}
+ static void AddToPollset(grpc_endpoint* ep, grpc_pollset* unused) {}
+ static void AddToPollsetSet(grpc_endpoint* ep, grpc_pollset_set* unused) {}
+ static void DeleteFromPollsetSet(grpc_endpoint* ep,
+ grpc_pollset_set* unused) {}
+ static void Shutdown(grpc_endpoint* ep, grpc_error* why) {}
+ static void Destroy(grpc_endpoint* ep) {
+ EvalArgsMockEndpoint* m = reinterpret_cast(ep);
+ delete m;
+ }
+
+ static absl::string_view GetPeer(grpc_endpoint* ep) {
+ EvalArgsMockEndpoint* m = reinterpret_cast(ep);
+ return m->peer_;
+ }
+
+ static absl::string_view GetLocalAddress(grpc_endpoint* ep) {
+ EvalArgsMockEndpoint* m = reinterpret_cast(ep);
+ return m->local_address_;
+ }
+
+ static grpc_resource_user* GetResourceUser(grpc_endpoint* ep) {
+ return nullptr;
+ }
+
+ static int GetFd(grpc_endpoint* unused) { return -1; }
+ static bool CanTrackErr(grpc_endpoint* unused) { return false; }
+
+ private:
+ static constexpr grpc_endpoint_vtable vtable_ = {
+ EvalArgsMockEndpoint::Read,
+ EvalArgsMockEndpoint::Write,
+ EvalArgsMockEndpoint::AddToPollset,
+ EvalArgsMockEndpoint::AddToPollsetSet,
+ EvalArgsMockEndpoint::DeleteFromPollsetSet,
+ EvalArgsMockEndpoint::Shutdown,
+ EvalArgsMockEndpoint::Destroy,
+ EvalArgsMockEndpoint::GetResourceUser,
+ EvalArgsMockEndpoint::GetPeer,
+ EvalArgsMockEndpoint::GetLocalAddress,
+ EvalArgsMockEndpoint::GetFd,
+ EvalArgsMockEndpoint::CanTrackErr};
+ grpc_endpoint base_;
+ std::string local_address_;
+ std::string peer_;
+};
+
+constexpr grpc_endpoint_vtable EvalArgsMockEndpoint::vtable_;
+
+namespace {
+
+std::string NameAndPortToURI(const char* addr, const int port) {
+ grpc_sockaddr_in address;
+ memset(&address, 0, sizeof(address));
+ address.sin_family = AF_INET;
+ address.sin_port = htons(port);
+ inet_pton(AF_INET, addr, &address.sin_addr);
+ grpc_resolved_address resolved;
+ memset(&resolved, 0, sizeof(resolved));
+ memcpy(resolved.addr, &address, sizeof(address));
+ resolved.len = sizeof(address);
+ return grpc_sockaddr_to_uri(&resolved);
+}
+
+} // namespace
+
+grpc_endpoint* CreateEvalArgsMockEndpoint(const char* local_address,
+ const int local_port,
+ const char* peer_address,
+ const int peer_port) {
+ EvalArgsMockEndpoint* m =
+ new EvalArgsMockEndpoint(NameAndPortToURI(local_address, local_port),
+ NameAndPortToURI(peer_address, peer_port));
+ return m->base();
+}
+
+} // namespace grpc_core
diff --git a/test/core/util/eval_args_mock_endpoint.h b/test/core/util/eval_args_mock_endpoint.h
new file mode 100644
index 00000000000..68b32cc891e
--- /dev/null
+++ b/test/core/util/eval_args_mock_endpoint.h
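Review bot: In NameAndPortToURI the result of `inet_pton(AF_INET, addr, &address.sin_addr)` is ignored, so a malformed or non-IPv4 string silently yields a 0.0.0.0 URI and a test then compares against the wrong value instead of failing at the source; check it, e.g. `GPR_ASSERT(inet_pton(AF_INET, addr, &address.sin_addr) == 1);`. The `reinterpret_cast` from `grpc_endpoint*` back to `EvalArgsMockEndpoint*` in Destroy, GetPeer and GetLocalAddress only works because `base_` is the first data member and the class has no virtual functions, which deserves a comment next to `grpc_endpoint base_;` such as `// Must remain the first member: grpc_endpoint* is cast back to this class.` `htons(port)` narrows an `int` to 16 bits with no range check, so a bad test argument wraps rather than fails; an assertion on `0 <= port && port <= 65535` keeps that explicit. The `absl/strings/str_format.h` include is unused in this file.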
@@ -0,0 +1,31 @@
+// Copyright 2020 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef GRPC_TEST_CORE_UTIL_EVAL_ARGS_MOCK_ENDPOINT_H
+#define GRPC_TEST_CORE_UTIL_EVAL_ARGS_MOCK_ENDPOINT_H
+
+#include
+
+#include "src/core/lib/iomgr/endpoint.h"
+
+namespace grpc_core {
+
+grpc_endpoint* CreateEvalArgsMockEndpoint(const char* local_address,
+ const int local_port,
+ const char* peer_address,
+ const int peer_port);
+
+} // namespace grpc_core
+
+#endif // GRPC_TEST_CORE_UTIL_EVAL_ARGS_MOCK_ENDPOINT_H
diff --git a/tools/doxygen/Doxyfile.c++.internal b/tools/doxygen/Doxyfile.c++.internal
index 69342b452a9..50a1f978c33 100644
--- a/tools/doxygen/Doxyfile.c++.internal
+++ b/tools/doxygen/Doxyfile.c++.internal
@@ -1710,6 +1710,12 @@ src/core/lib/json/json_writer.cc \
 src/core/lib/profiling/basic_timers.cc \
 src/core/lib/profiling/stap_timers.cc \
 src/core/lib/profiling/timers.h \
+src/core/lib/security/authorization/authorization_engine.cc \
+src/core/lib/security/authorization/authorization_engine.h \
+src/core/lib/security/authorization/evaluate_args.cc \
+src/core/lib/security/authorization/evaluate_args.h \
+src/core/lib/security/authorization/mock_cel/activation.h \
+src/core/lib/security/authorization/mock_cel/cel_value.h \
 src/core/lib/security/context/security_context.cc \
 src/core/lib/security/context/security_context.h \
 src/core/lib/security/credentials/alts/alts_credentials.cc \
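Review bot: CreateEvalArgsMockEndpoint is declared without any comment on ownership or accepted input, so a caller cannot tell from this header that the result must be released with `grpc_endpoint_destroy` or that the implementation only builds IPv4 (AF_INET) addresses. A comment above the declaration would close that gap, e.g. `// Creates a no-op endpoint whose local and peer addresses are URIs built (via grpc_sockaddr_to_uri) from the given IPv4 dotted-quad strings and ports. The caller owns the result and releases it with grpc_endpoint_destroy().`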
diff --git a/tools/doxygen/Doxyfile.core.internal b/tools/doxygen/Doxyfile.core.internal index c9aedb9b822..3b4fb2252d3 100644 --- a/tools/doxygen/Doxyfile.core.internal +++ b/tools/doxygen/Doxyfile.core.internal @@ -1537,6 +1537,12 @@ src/core/lib/json/json_writer.cc \ src/core/lib/profiling/basic_timers.cc \ src/core/lib/profiling/stap_timers.cc \ src/core/lib/profiling/timers.h \ +src/core/lib/security/authorization/authorization_engine.cc \ +src/core/lib/security/authorization/authorization_engine.h \ +src/core/lib/security/authorization/evaluate_args.cc \ +src/core/lib/security/authorization/evaluate_args.h \ +src/core/lib/security/authorization/mock_cel/activation.h \ +src/core/lib/security/authorization/mock_cel/cel_value.h \ src/core/lib/security/context/security_context.cc \ src/core/lib/security/context/security_context.h \ src/core/lib/security/credentials/alts/alts_credentials.cc \ diff --git a/tools/run_tests/generated/tests.json b/tools/run_tests/generated/tests.json index 47188111351..756f75c9682 100644 --- a/tools/run_tests/generated/tests.json +++ b/tools/run_tests/generated/tests.json @@ -4313,6 +4313,30 @@ ], "uses_polling": true }, + { + "args": [], + "benchmark": false, + "ci_platforms": [ + "linux", + "mac", + "posix", + "windows" + ], + "cpu_cost": 1.0, + "exclude_configs": [], + "exclude_iomgrs": [], + "flaky": false, + "gtest": true, + "language": "c++", + "name": "evaluate_args_test", + "platforms": [ + "linux", + "mac", + "posix", + "windows" + ], + "uses_polling": true + }, { "args": [], "benchmark": false,